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METHOD AND SYSTEM FOR CONTROLLING AN ELECTRONIC INSTRU- 
MENT FOR ME TROLOG I CAL MEASUREMENTS 

The present invention relates to a method and system 
for controlling an electronic instrument for metrological 
measurements . 



In particular, the present invention relates to a 
method and system for controlling electronic instruments 
for metrological measurements including an application 
15 for handling the measurement effected by the instrument. 

Said instrument for metrological measurements can 
be, for example, an instrument situated inside a gasoline 
pump, suitable for measuring the flow of gasoline. 



For the purposes of the present invention, applica- 
tion for handling the metrological measurement means a 
software or a processing program which can acquire, proc- 
ess, visualize and print the data relating to the meas- 
urement effected. 

As is known, metric instruments are, according to 
25 the law, subjected to periodic controls which consist in 
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ascertaining their constant metrological reliability with 
time, with the aim of protecting the integrity of seals, 
also electronic, and labels or other protection elements 
envisaged by the law in force. 
5 An authorized person (metric officer) is charged 

with performing these controls, which refer, for example, 
* to the integrity of both the structure of the measuring 
instrument, and also to that of the applications or proc- 
essing programs contained in said instrument. 
10 Integrity of the applications means that the ap- 

plications have not been subjected to interventions which 
can alter the integrity and originality of the software 
application which runs the instrument for metrological 
measurement . 

15 Said seals which guarantee the integrity and origi- 

nality of the application are currently of the hardware 
type, for example lead seals. 

The Applicant has observed that for these controls 
the operator (metric officer) must go to the place where 

20 the measurement instrument is installed and check the in- 
tegrity of said hardware seals. Should the supplier of 
the application issue a new updated version of said ap- 
plication, the metric officer must go on site to remove 
said seals and insert the new ones, after verifying the 

25 correct functioning of the updated version of the appli- 
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cation. 

The intention of the Applicant is to simplify certi- 
fication operations of software applications for elec- 
tronic instruments for simple metrological measurements 
5 and make them reliable. 

The Applicant has achieved a method and system for 
controlling an electronic instrument for metrological 

« 

measurements, wherein a control application, residing on 
a computer connected to said measurement instrument, for 

10 example through a network, checks whether the handling 
application of the measurement effected by the instrument 
has undergone alterations, violations, modifications or 
similar variations. This control of the handling applica- 
tion of the instrument results in the emission of an 

15 authenticity stamp. 

The control application preferably determines 
whether the handling applications satisfy the following 
conditions : 

* the handling application installed on the instru- 
20 ment must conform with what is certified at the start of 

the instrument; 

* the handling application installed on the instrument 
cannot be unduly interfered with; 

* any variation in the handling application installed 
25 on the instrument must be evident and acknowledgeable; 
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* the presence of a different handling application 
must be acknowledgeable; 

* the techniques adopted must guarantee that all the 
aforesaid actions are carried out in a context of data 

5 security, using suitable cryptography techniques, digital 
signatures, certifications etc.; 

* all relevant actions in the sphere of variations in 
the programs which can be effected by the instrument, 
must be marked on carriers that cannot be modified by 

10 third parties. 

The controls are generally such as to allow a defi- 
nite reconstruction of the actions effected on the han- 
dling application of the instrument. 

An aspect of the present invention relates to the 

15 controlling system of an electronic instrument for me- 
trological measurements, including a local processing 
computer which comprises a handling application of said 
instrument, characterized in that it includes a control 
application for said handling application, which can be 

20 associated with said local computer, said control appli- 
cation being suitable for generating a univocal certifi- 
cation code for the application. 

A further aspect of the present invention relates to 
a method for controlling an electronic instrument for me- 

25 trological measurements, said instrument being associated 

4 
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with a local processing computer including a handling ap- 
plication of said instrument, comprising the following 
steps : 

* receiving, at the start of the handling application, 
5 information contained in said local unit referring to the 

handling application; 

* processing said information through a comparison 
with pre-memorized information; 

* issuing a univocal certification code which can be 
10 associated with said handling application; 

* printing on paper a stamp containing said univocal 
code • 

The characteristics and advantages of the method and 
system for controlling metrological measurement instru- 
15 ments according to the present invention will be better 
clarified and appear more evident from the following il- 
lustrative and non-limiting description of an embodiment, 
with reference to the attached figures, wherein: 

figure 1 is a block scheme of the control system ac- 
20 cording to the present invention applied to generic cli- 
ent uses; 

figure 2 is a block scheme of the control system ac- 
cording to the present invention applied to a fuel sta- 
tion for motor vehicles; 
25 figure 3 is a representation of a "software stamp" 
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according to the present invention; 

figures 4a-f represent visualization cards of the 
control application according to the present invention . 

With reference to the aforesaid figures, the system 
5 according to the present invention preferably comprises a 
central processing unit (server) (2), and at least one 
local processing unit (3) in which there is at least one 
handling application of a metric instrument (4) . This 
central processing unit preferably also includes a han- 
10 dling application of a metric instrument (4) . 

The connection between said central unit and the lo- 
cal units is preferably obtained through a traditional 
telecommunication network, a LAN network, for example, an 
Ethernet network, or an Internet connection. In general 
15 said network allows applications and programs, physically 
residing in a memory of said central processing unit, to 
be used in said local units. 

Figure 1 shows, as an example, three local stations, 
as the system of the present invention is also capable of 
20 controlling a series of local units contemporaneously. 
One of the local units indicated in figure 1 comprises 
two handling applications (4) of an electronic instrument 
for metrological measurements, as the system of the pres- 
ent invention contemporaneously and equivalently controls 
25 one or more applications inside the local unit itself. 
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Said central processing unit preferably includes at 
least one control application (21) of said handling ap- 
plications, in addition to at least one central applica~ 
tion (22) . 

5 At least one dynamic library (6) of functions which 

can be associated with said control application (21), is 
preferably present on both the central processing uiiit 
and the local units, said library acting as a connection 
between the handling applications and the control appli- 
10 cation. 

Figure 2 shows an application example of the control 
system according to the present invention, applied to a 
fuel station for motor vehicles, indicated, as a whole, 
with reference number (7) . 
15 The fuel station includes at least one gasoline pump 

(71), containing inside said metrological measurement in- 
strument, suitable for measuring the flow of gasoline 
from a pump. A local processing unit associated with said 
pump includes said handling application, as described 
20 above, which controls the measurement instrument. 

Said fuel station also includes an automatic distri- 
bution pump (72), suitable for allowing the pumps to op- 
erate in the absence of personnel. This pump is activated 
by inserting a certain amount of money, in the form of 
25 banknotes or credit cards, bancomat or similar. Inside 
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this column there is, for example, a further local proc- 
essing unit. 

Other local processing units are situated, for exam- 
ple, in sales and/or distribution points of products (74) 
5 of the fuel station, accounting and/or administrative of- 
fices (75) . 

According to the example of figure 2, the central 
processing unit (73) connects the aforementioned local 
processing units so as to form a network. 

10 According to the" present invention, the control ap- 

plication is preferably contained in the central unit 
(73) . Alternatively, if the fuel station is not connected 
by a network, but comprises at least one local processor 
associated with a metrological measurement instrument, 

15 said control application is installed inside said local 
unit. 

The handling application of the measurement instru- 
ment preferably comprises an authenticity certification, 
which is provided by the application author. This certi- 
20 fication includes a digital signature which is imple- 
mented, for example, by means of an RSA cryptography pro- 
tocol . 

This digital signature, through a mechanism of pub- 
lic and private keys, guarantees the authenticity of the 
25 handling application with which said key is associated. 
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A technological note which implements said digital 
signatures is the Microsoft® Authenticode ™ technology 
which verifies that a certain application has a valid 
certificate, or that the identity of the application pro- 
5 ducer corresponds to what is certified and that the cer- 
tificate is still valid. This is achieved by applying a 
digital signature to the software code, which allows re- 
mote clients to check the reliability of the application 
editor. 

10 According to the present invention, the control ap- 

plication is capable of reading said digital signatures 
and acknowledging their authenticity. If said authentic- 
ity is not verified, the control application emits a sig- 
nal and interrupts the start of the handling application 

15 which contains the non- valid digital signature. 

Furthermore, the control application acquires some 
information on the unit on which the application to be 
controlled resides, in order to create a single data 
bank, connected -to the unit itself. Possible examples of 

20 information which can be useful for controlling the ap- 
plication are: 

• series number of the network card, 

• series number of the hard disk, 

• univocal identification of the data processor, 
25 etc.. 

9 
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In the case of network conf igurations, the control 
application also univocally identifies the machines con- 
nected by the network through their local application 
component, so as to be able to react to any possible 
5 variations in the network configuration. 

Once the aforementioned information has been ac- 
quired, the control application processes all the data 
and creates a synthesis of a limited dimension- This syn- 
thesis can be obtained, for example, by means of so- 
10 called cryptography "hashing" algorithms ( SHA, RSA, etc..) 
and generates a univocal code which is called "software 
stamp", which is printed from these local units and asso- 
ciated with the controlled handling application. 

This univocal code is preferably printed, for exam- 

* 

15 pie, in the form illustrated in figure 3, which refers to 
the certification of a handling application called SINP, 
version 2.0.1, produced by the same Applicant and granted 
on September 13, 2001. This stamp (8) also shows a stamp 
printing date (81), a fuel station code (82), a bar code 

20 (83) corresponding to said univocal code of the software 
stamp. 

The handling application operates as follows. 
At the start of the handling application (4) to be 
controlled, the control application (21) is automatically 
25 called by means of said dynamic library (6) associated 
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with the handling application in the local unit. 

Information on the handling application itself is 
acquired through said library. 

The application is validated using the verification 
5 of said application certificate, for example according to 
the rules of the Microsoft® Authenticode ™ standard. 

The control application (21) acquires some informa- 
tion on the local processing unit (3) on which the han- 
dling application (4) resides, in-order to create a sin- 
10 gle data bank for recognizing the unit itself. In the 
case of network configurations, the handling application 
also univocally identifies the other units present on the 
network, through all dynamic libraries (6) present in 
each local unit, so as to able to react to any possible 
15 variations in the network configuration. 

Once all the aforementioned information has been ac- 
quired, a "software stamp" is emitted, as described 
above, which is memorized in said local processing unit 
and bound to the controlled handling application. 
20 All the applications effected by the control appli- 

cation on the handling application to be controlled, are 
preferably collected in a file, whose integrity and con- 
sistency is checked in order to verify that no cancella- 
tions or manipulations have been made. Any possible in- 
25 consistencies found in this phase, produce a signal and 
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prevent the start of the applications. 

If an updating of the handling application is de- 
sired, for example by installing a new version, the con- 
trol application emits a new software stamp. 
5 In particular, the control application detects that 

the application has changed and is no longer consistent 
with the information pre-installed through the software 
stamp. In this case, the authenticity of the new version 
of the handling application is checked. 
10 This control is* essentially carried out in three 

steps: 

• a control is made that the new version has been pre- 
pared by the same producer as the previous one, 

through said digital signature; 

15 • a control is made that the new version is subsequent 

to the previous one (for example, version 1.2 in the 

place of version 1.1); 

• a control is made that said version is consistent 
with the other applications, with which it operates, 

20 of the local processing unit. 

Once the above controls have been effected, the con- 
trol application proposes to the user to produce a new 
software stamp. The software stamp represents the neces- 
sary evidence, on a normative level, for the correct han- 

25 dling of the issuing of new versions. All the above is 
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obtained, in concrete terms, through a printout on paper 
which produces a model as illustrated in figure 3. 

Figures 4a-e represent a few examples of insertion 
and/or visualization masks generated by the control ap- 
5 plication during a survey on a handling application* 

Figure 4a illustrates a first mask (91) , which, at 
the start of the handling application of the measurement 
instrument, shows the univocal code of the software 
stamp. In this case, there was no modification in the 
10 handling application," and the handling application is 
consequently correctly started by pushing the key "OK". 
This mask is optional, in the sense that it can be put in 
evidence when the handling applications envisage the 
presence of a user at the start; when the start of the 
15 handling application is automatic, for example in corre- 
spondence with the tensioning of a plant, this mask is 
omitted. 

Figure 4b illustrates a second mask (92), which 
shows that there has been a change in the configuration 
20 of the local processing unit. This change can, for exam- 
ple, be an update of the handling application version or 
a change in the hardware and/or software configuration of 
the processing unit. 

In this case a comparison mask (93) is put in evi- 
25 dence, in which these changes are listed. In particular, 

13 
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an upper box (931) of said mask reveals the new applica- 
tions and/or versions of the application present on the 
local unit, and a lower box (932) reveals the substituted 
parts . The new configuration revealed by said upper box, 
5 must be confirmed by a push button present on the lower 
part of the card; the confirmation operation simply de- 
clares that the changes comply with the aforementioned 
authentication conditions. After this confirmation, a new 
univocal code is issued and a new software stamp is 
10 printed. 

The univocal code can, at this point, be inserted in 
said second mask (92) and, following confirmation, by 
pushing the key "OK", the system proposes a third mask 
(94) in which a confirmation is required (yes/no) that 
15 the modifications comply with the regulations on the met- 
ric test of the measurement instrument. 

In the case of confirmation (yes) , the system pro- 
poses a fourth mask (95) which communicates that the op- 
erations have been correctly effected and allows the cor- 
20 rect start of the handling application. 

In the case of lack of confirmation (no) , the system 
proposes a fifth mask (96), which communicates the impos- 
sibility of correctly starting the application, as the 
metrological operations have not been completed. 
25 In this case, the application can only be started for 
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effecting functional tests. 

The application is preferably developed according to 
modularity, re-use of the code and portability criteria, 
in order to guarantee the natural evolution which the 

. 5 control application will undergo during its life cycle. 
Respect of these requirements guarantees the possibility 
of adding new functions with limited impacts. For this 
purpose, when applicable, the use of programming lan- 
guages of the type known as "object oriented", is prefer- 

10 able. 

It is preferable, moreover, to use techniques which 
allow the application and the data format to be as inde- 
pendent as possible of each other. In this way, the ap- 
plication is ready for any possible data format changes 

15 and is advantageously compatible with other applications, 
devices or systems. 

All public interfaces, public data and functions are 
documented, in order to guarantee access to the control 
application code. The system variables preferably have 

20 mnemonic names and respect the code writing notations 
typical of the development environment (prefixes for in- 
dicating the data type, etc.). Each public function or 
method is suitably documented through a description on 
the function itself, and a functional description is 

25 specified for each parameter, including the validity in- 
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terval and the use in input or output of the parameter 
itself. 

The error codifications are preferably consistent 
with the remaining parts of the application and can be 
5 obtained from a single source (header file or resource) . 
In any case, any error code which can be generated by the 
application is documented and memorized in the applica- 
tion event register. 

Respect of the application longevity requirement in- 

10 evitably implicates the selection of architectures which 
are presumably supported for a period of time equal or 
longer than the assumed life of the application itself. 

The control application, according to the present in- 
vention, follows the operation modes, terminology and 

15 documents already known to users of the handling applica- 
tion and metrological measurement instrument, as much as 
possible, so that the user itself can consider the proce- 
dure as "familiar". In any case, the interfaces and de- 
signs of the masks are as simple and clear as possible. 

2 0 The most frequent operations are advantageously effected 
with the lowest possible number of passages. All opera- 
tions of the control application are coherently grouped 
into functional sets, to make them easily available. Ac- 
cess to the functions is preferably obtained by means of 

25 buttons or, when applicable, through menus, hyper-tests 

16 



WO 2004/046016 PCT/EP2003/0 12826 

or icons . 

The parts indicating commands or data must have suf- 
ficient dimensions to allow them to be clearly read. The 
dimensions of the interface elements should not however 
5 be too large, in order to prevent the elements themselves 
from becoming dispersive. 
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